Subject: Re: Getting rid of /dev/veriexec
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 12/02/2005 16:48:25
Steven M. Bellovin wrote:

> ntpd.  ftpd has to run as root part of the time, to bind to port 20.  
> apache keeps a portion of itself as root; suexec, if you use it (and 
> you probably should), always runs as root.

I'm not familiar with the code of these programs. Are you sure these
are all programs that fork a root-owned process, chroot, and continue
operation?

I'd expect ftpd to set-user-id. I think ntpd has a dedicated user and
by default uses it (I remember that from a recent code fix). Apache
forks www-owned processes; I'm not sure if it chroots the master
process. As for suexec I have no idea.

One thing common to the programs mentioned (except for suexec, which
I don't know) is that they all have remotely exploitable root holes.
From a security point of view, they are by no means any model for
doing things right...

> Elad, you've given your reasons why using sysctl isn't a problem.  What 
> you haven't said clearly enough for me is why it's an advantage.

To the end-user there's not much of a difference. It's simply putting
the interface to the Veriexec tables in a more logical place, to me
anyway.

The reason Veriexec uses a device file is none of the reasons brought
up, and is actually an historic mistake; it will be unfortunate, to me,
to see it stay.

-e.

-- 
Elad Efrat
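The exchange above turns on which daemons drop root (set-user-id, a dedicated user) versus which keep a root-owned process around after chroot. The following is an added example, not code from this thread or from any of the programs named in it: it shows the usual order for giving up root permanently and a check that the drop actually stuck. The function names drop_privileges and privileges_dropped, and the command-line usage, are assumptions made for the example.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * drop_privileges (name assumed for this example): optionally chroot()
 * into root_dir, then give up root for good.  The order matters:
 *   - chroot() needs root, so it has to come before the uid change;
 *   - chdir("/") after chroot() so the cwd does not stay outside the jail;
 *   - setgroups() before setgid() before setuid(), because each call needs
 *     the privilege that the next call discards.
 * Returns 0 on success, -1 on failure with errno set by the failing call.
 */
int drop_privileges(const char *root_dir, uid_t uid, gid_t gid)
{
    if (root_dir != NULL) {
        if (chroot(root_dir) == -1)
            return -1;
        if (chdir("/") == -1)
            return -1;
    }
    if (geteuid() == 0) {
        /* Only root can clear supplementary groups; an already
         * unprivileged caller has nothing it is allowed to clear. */
        if (setgroups(0, NULL) == -1)
            return -1;
    }
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    return 0;
}

/*
 * privileges_dropped (name assumed for this example): confirm root cannot
 * be regained.  Reading getuid() is not enough; a process that was left
 * with a saved set-user-ID of 0 (e.g. after seteuid() instead of setuid())
 * can still call setuid(0) and get root back.  So try exactly that and
 * require it to fail with EPERM.  Returns 1 if root is gone, 0 otherwise.
 */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;               /* got root back: the drop was incomplete */
    return errno == EPERM;
}

/* Stand-alone use: ./a.out <jaildir> <uid> <gid>, run as root. */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s jaildir uid gid\n", argv[0]);
        return 2;
    }
    if (drop_privileges(argv[1],
                        (uid_t)strtoul(argv[2], NULL, 10),
                        (gid_t)strtoul(argv[3], NULL, 10)) == -1) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    int dropped = privileges_dropped();
    printf("root regainable: %s\n", dropped ? "no" : "yes");
    return dropped ? 0 : 1;
}
```

The check in privileges_dropped is the part worth keeping around: a daemon that only changes its effective uid keeps the saved uid 0 and looks unprivileged to getuid() while still being able to take root back, which is exactly the "keeps a portion of itself as root" situation the thread is discussing.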